Field
Various features relate to communication techniques utilizing an Internet Protocol Version 6 (IPv6) platform for providing secure authentication between one or more user devices and a computer network entity, such as a server.
Background
IPv6 is an Internet Layer protocol for packet-switched internetworking and provides end-to-end datagram transmission across multiple IP networks, following the design principles developed in the previous version of the protocol, Internet Protocol Version 4 (IPv4). In addition to offering more addresses, IPv6 advantageously implements features not present in IPv4. It simplifies aspects of address assignment (e.g., stateless address auto-configuration), network renumbering, and router announcements when changing network connectivity providers. It simplifies processing of packets in routers by placing the responsibility for packet fragmentation into the end points. The IPv6 subnet size is standardized by fixing the size of the host identifier portion of an address to 64 bits to facilitate an automatic mechanism for forming the host identifier from link layer addressing information (e.g., media access control (MAC) address). Network security was a design requirement of the IPv6 architecture, and includes the original specification of Internet Protocol Security (IPsec), which is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session.
For security purposes, computer network communications, such as web services, are starting to rely on user information such as the user agent (e.g., browser) and/or source IP address to determine if the user is logging into the system from an unrecognized or unexpected location. Authenticated sessions may also be established between a user device (apparatus) and a network entity utilizing cookies or authentication tokens, which allow a certain level of “trust” to be established between a user device and a network entity, and may be accomplished using action-less logging. However, source IP addresses and browser user agents can be easily spoofed, giving web services little protection when a user's password, cookie, or authentication token is compromised.
Recently, techniques such as Cryptographically Generated Address (CGA) generation have been used to increase communication security by validating IP address ownership. A CGA is an IPv6 address that has a host identifier computed from a cryptographic hash function, where a public signature key is bound to an IPv6 address in the Secure Neighbor Discovery Protocol (SEND). CGA techniques are typically used in local networks to authenticate ownership of an IP address. A CGA is formed by replacing the least-significant 64 bits of a 128-bit IPv6 address with a cryptographic hash of the public key of the address owner, and the messages are signed with a corresponding private key. The verifier (e.g., local router) may authenticate the message from that corresponding sender only if the source address and the public key are known. This method requires no public key infrastructure. Valid CGAs may be generated by any sender, including a potential attacker, but they cannot use any existing CGAs.
Although CGA is a promising security technique for use with IPv6 addresses, there are limitations and disadvantages. The main disadvantage of using CGA is the high overhead and computational time necessary to generate the address. Also, CGA is not a complete security solution: it solves IP address ownership only on the local area network and still exhibits weaknesses and vulnerabilities to threats. For instance, CGA cannot provide the assurance needed with respect to the authority of the node, so there is no guarantee that the CGA address was created from the appropriate node. Attackers on a local network can thus exploit this weakness to create a new valid address from their own public key. Attackers on the local network can also capture Neighbor Discovery (ND) messages and alter the sender's CGA parameters. When this happens, the CGA verification process on the receiver's side will fail, and communication between a legitimate sender and receiver is prevented. It is also possible for an attacker to conduct a Duplicate Address Detection DoS attack, which will prevent a CGA node from joining a link. An attacker can copy the CGA parameters and the signature and then respond with a Neighbor Advertisement (NA) message that contains the same security parameters. In this way, the attacker can prevent the CGA address configuration for all nodes attached to a local link. Another type of attack is one in which the victim's node is kept busy with the verification process: an attacker inundates the verifier with valid or invalid CGA signed messages.
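The CGA construction and verification described above, sketched after RFC 3972 as an added example that is not part of the original text. It goes beyond the summary above: besides the public key, the hash inputs include a modifier, the subnet prefix and a collision count, and the Sec parameter sets how many leading Hash2 bits must be zero, which is where the generation cost comes from. The prefix and key byte strings are constructed stand-ins, and message signing is omitted.

```python
import hashlib
import ipaddress

ID_MASK = 0x1CFFFFFFFFFFFFFF  # compare Hash1 ignoring the 3 Sec bits and the u/g bits
PREFIX = bytes.fromhex("20010db800000001")  # constructed: 2001:db8:0:1::/64
KEY_A = b"constructed stand-in for node A's DER-encoded public key"
KEY_B = b"constructed stand-in for node B's DER-encoded public key"


def _sha1(*parts: bytes) -> bytes:
    return hashlib.sha1(b"".join(parts)).digest()


def _hash2_ok(modifier: bytes, pubkey: bytes, sec: int) -> bool:
    # Hash2 covers modifier, 9 zero octets and the key; its leftmost 16*Sec bits must be 0.
    return _sha1(modifier, bytes(9), pubkey)[: 2 * sec] == bytes(2 * sec)


def generate_cga(prefix: bytes, pubkey: bytes, sec: int, modifier: int = 0):
    """Return (address, modifier_bytes, hash2_attempts) for a 64-bit prefix."""
    attempts = 1
    while not _hash2_ok(modifier.to_bytes(16, "big"), pubkey, sec):
        modifier = (modifier + 1) % (1 << 128)
        attempts += 1  # expected work grows as 2**(16*sec) hashes
    mod = modifier.to_bytes(16, "big")
    # Hash1 covers modifier, prefix, collision count (0 here) and the key.
    hash1 = int.from_bytes(_sha1(mod, prefix, b"\x00", pubkey)[:8], "big")
    iid = (hash1 & ID_MASK) | (sec << 61)  # Sec goes in the 3 leftmost bits
    addr = ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big"))
    return addr, mod, attempts


def verify_cga(addr, modifier: bytes, pubkey: bytes, collisions: int = 0) -> bool:
    """Check that addr is bound to pubkey under the supplied CGA parameters."""
    raw = ipaddress.IPv6Address(addr).packed
    prefix, iid = raw[:8], int.from_bytes(raw[8:], "big")
    if collisions not in (0, 1, 2):
        return False
    hash1 = int.from_bytes(_sha1(modifier, prefix, bytes([collisions]), pubkey)[:8], "big")
    if (hash1 & ID_MASK) != (iid & ID_MASK):
        return False
    return _hash2_ok(modifier, pubkey, iid >> 61)  # Sec is read back from the address


if __name__ == "__main__":
    addr, mod, n = generate_cga(PREFIX, KEY_A, sec=1)
    print(addr, n, verify_cga(addr, mod, KEY_A), verify_cga(addr, mod, KEY_B))
```

Verification succeeds for any key and parameter set that hash to the address, so it shows that the address is bound to a key, not that the key holder is the intended node; altered parameters make the same check fail.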
Accordingly, there is a need for techniques and technologies for connecting a user device to a network entity, such as a server, that is relatively secure across wide area networks and requires little to no overhead. Further techniques are needed to provide a remote network solution for verifying an IP address.